tutorial for multi-hop shadowsocks servers

[hadifarnoud]

Hello
As you may know, Iran blocked access to free internet a few days ago due to unrest. As a result, they are aggressively blocking all VPN servers.

The only way we found working was a multi-hop setup with one server in Iran and the other outside Iran.

I cannot find any tutorial for that anywhere. Having a censorship-resistant multi-hop setup would work for situations like today.

I lack technical knowledge for this kind of setup. Please consider publishing a tutorial

Thank you,
Hadi

[orca-glo]

Hadi, I think Lantern has been working for at least some folks in Iran - maybe you can give that a try? https://lantern.io

[wkrp]

@hadifarnoud, can you be more specific about what you mean by multi-hop? My interpretation is:

Client A

in Iran

Server A

in Iran

Server B

outside Iran

Client A makes a Shadowsocks connection to Server A. (No national border crossed in this hop.) Then Server A makes a separate Shadowsocks connection to Server B. (Across the border.) Is that right?

[gfw-report]

Hi Hadi, I assume you wanted a "multi-hop Shadowsocks" setup because you cannot connect to your Shadowsocks server directly from home; but you can connect to it from some Iranian datacenters. It has been observed before that traffic from Iranian datacenters was allowed, but traffic from the residential network was blocked.

If this is the case, this forwarding plan by Shadowsocks community may work for you. Note that this forwarding plan works for other application-layer circumvention tools other than Shadowsocks as well because it works on IP- and transport-layer.

---

Below is a tutorial using Outline as an example:

Say you have an Outline server (2.2.2.2) listening on port 22222 outside of Iran; however, since you cannot connect to the server (2.2.2.2) directly from home, you want to setup a relay server (1.1.1.1) listening on port 11111 in the Iranian datacenter to relay your traffic:

Outline Client (home in Iran) <---> Relay Server (1.1.1.1:11111, Iranian datacenter) <---> Outline Server (2.2.2.2:22222, outside of Iran)

Then all you need to do is:

1. Replace the four variables in the following script DST_SERVER_IP, DST_SERVER_PORT, RELAY_SERVER_IP, RELAY_SERVER_PORT with the actual values:

#!/bin/bash

set -x
set -e

## Replace DST_SERVER_IP and DST_SERVER_PORT with actual value
DST_SERVER_IP="2.2.2.2"
DST_SERVER_PORT="22222"

## Replace RELAY_SERVER_IP and RELAY_SERVER_PORT with actual value
RELAY_SERVER_IP="1.1.1.1"
RELAY_SERVER_PORT="11111"

sudo iptables-save > "iptables-rules-backup-$(date '+%Y-%m-%d-%H:%M:%S').v4"

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

sudo iptables -t nat -A PREROUTING -p tcp --dport "${RELAY_SERVER_PORT}" -j DNAT --to-destination "${DST_SERVER_IP}:${DST_SERVER_PORT}"
sudo iptables -t nat -A PREROUTING -p udp --dport "${RELAY_SERVER_PORT}" -j DNAT --to-destination "${DST_SERVER_IP}:${DST_SERVER_PORT}"

sudo iptables -t nat -A POSTROUTING -p tcp -d "${DST_SERVER_IP}" --dport "${DST_SERVER_PORT}" -j SNAT --to-source "${RELAY_SERVER_IP}"
sudo iptables -t nat -A POSTROUTING -p udp -d "${DST_SERVER_IP}" --dport "${DST_SERVER_PORT}" -j SNAT --to-source "${RELAY_SERVER_IP}"

2. Copy and paste the script you just modified to the Relay Server (1.1.1.1) as forwarding.sh.
3. Execute the modified script: sudo bash forwarding.sh.
4. (Optional) Don't panic if you accidentally put in a wrong IP address or port, because you can always restore to the previous iptables rules with sudo cat iptables-rules-backup-2022-09-20-00:00:00.v4 | sudo iptables-restore. (Your filename will be different.)

Finally,

5. Change the IP address and port in the original Outline link from Outline server to your Relay server. In this example, from ss://Y2hhY2hKMjAtaWV0Zi1wb2x5MTMwNTp0aEltbzE3ZzZDTzM@2.2.2.2:22222/?outline=1 to ss://Y2hhY2hKMjAtaWV0Zi1wb2x5MTMwNTp0aEltbzE3ZzZDTzM@1.1.1.1:11111/?outline=1.
6. Paste the changed link to your Outline client and you should be able to connect to the server now!

[smf8]

one solution that currently works is v2ray.

I use the following schema to bypass restrictions:

Client (v2ray or shadowsocks) -> v2ray shadowsocks inbound (Iran) -> v2ray shadowsocks/VMess outbound (Iran) -> v2ray shadowsocks/VMess inbound (DE) -> freedom

There are plenty of obfuscation/encryption options but I think the simplest way is to use shadowsocks with HTTP obfuscation.

Iran config:

{
  "log":{
    "logLevel": "warning"
  },
  "inbounds": [
    {
      "tag": "in-shadow",
      "port": "1470",
      "listen": "0.0.0.0",
      "protocol": "shadowsocks",
      "settings": {
        "method": "aes-256-gcm",
        "password": "secret",
        "network": "tcp"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "shadowsocks",
      "settings": {
        "servers": [
          {
            "address": "Free VPS ip",
            "port": 1472,
            "method": "aes-256-gcm",
            "password": "super_strong_secret"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp" ,
        "tcpSettings": {
          "header": {
            "type": "http",
            "request": {
              "version": "1.1",
              "method": "GET",
              "path": ["/"],
              "headers": {
                "Host": ["www.softqloud.com", "aws.amazon.com"],
                "User-Agent": [
                  "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" ,
                  "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/53.0.2785.109 Mobile/14A456 Safari/601.1.46"
                ],
                "Accept-Encoding": ["gzip, deflate"],
                "Connection": ["keep-alive"],
                "Pragma": "no-cache"
              }
            }
          }
        }
      },
      "tag": "out-shadow"
    },
    {
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      },
      "tag": "blockout"
    },
    {
      "protocol": "freedom",
      "tag": "direct"
    }
  ],
  "dns": {
    "servers": ["8.8.8.8","https://1.1.1.1/dns-query", "localhost"]
  },
  "routing": {
    "domainStrategy": "IpOnDemand",
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:ir"],
        "domain": [
          "regexp:\\.ir$"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blockout"
      },
      {
        "type": "field",
        "inboundTag": ["in-shadow"],
        "outboundTag": "out-shadow"
      }
    ]
  }
}

DE (anywhere with free internet access):

{
  "log":{
    "logLevel": "warning"
  },
  "inbounds": [
    {
      "tag": "direct_shadow",
      "port": 1472,
      "listen": "0.0.0.0",
      "protocol": "shadowsocks",
      "settings": {
        "method": "aes-256-gcm",
        "password": "same as super_strong_secret",
        "network": "tcp"
      },
      "streamSettings": {
        "network": "tcp" ,
        "tcpSettings": {
          "header": {
            "type": "http",
            "response": {
              "version": "1.1",
              "status": "200",
              "reason": "OK",
              "headers": {
                "Content-Type": [
                  "application/octet-stream",
                  "video/mpeg",
                  "application/x-msdownload",
                  "text/html",
                  "application/x-shockwave-flash"
                ],
                "Transfer-Encoding": [
                  "chunked"
                ],
                "Connection": [
                  "keep-alive"
                ],
                "Pragma": "no-cache"
              }
            }
          }
        }
      }
    }
  ],
    "outboundDetour": [
      {
        "protocol": "blackhole",
        "settings": null,
        "tag": "blocked"
      }
    ],
  "outbound": {
    "protocol": "freedom" ,
    "tag": "direct"
  },
    "dns": {
      "servers": ["8.8.8.8","https://1.1.1.1/dns-query", "https://dns.google/dns-query", "localhost"]
    }
}

You can elaborate this config however you like, for example use VMess for VPS communication or add TLS. But I think UDP protocol will be blocked, so don't use any transport with UDP as backend(mKCP or QUIC).

Also, these configurations are for v2ray version 4.x.x

[meskio]

I've documented a similar setup for a tor bridge here: #127

[oussjarrousse]

I assume the situation in Iran will drag on.
Do you also expect authorities to ultimately and systematically enforce the same censorship rules on all providers?
Or do we know that certain networks will be spared from such measures (due to financial reasons for example, or some other considerations...)?

[smf8]

Currently, mobile networks are affected the most by censorship. At certain times of day (normally 5 pm - 12 am) these networks can only access internal services. Residential networks (home and organizations) have only limited access (UDP traffic is widely blocked and most famous VPN protocols are blocked with DPI). Some data centers have stable connections to the internet, but they are affected by VPN protocol blockage as well. The situation has only gotten worse in the past few days.

[massoudasadi]

things got worse now only multi-hub ssh tunneling works on mobile carriers

[cursedwraith]

Currently, mobile networks are affected the most by censorship. At certain times of day (normally 5 pm - 12 am) these networks can only access internal services. Residential networks (home and organizations) have only limited access (UDP traffic is widely blocked and most famous VPN protocols are blocked with DPI). Some data centers have stable connections to the internet, but they are affected by VPN protocol blockage as well. The situation has only gotten worse in the past few days.

so sad :( do you have any suggestion ? looking for new config that works on mobile carriers. i can set up relay

[smf8]

I provided a v2ray config

one solution that currently works is v2ray.

It's not perfect, but it will allow you to bypass network restrictions.

[xerqus]

hello guys
right now i have access to internet without restriction trough ssh tunneling to my VPS and speed is awesome , my problem is i cant use ssh tunneling with UDP protocol , do u have any idea how can i use use udp over ssh
regards

[hadifarnoud]

I provided a v2ray config

one solution that currently works is v2ray.

It's not perfect, but it will allow you to bypass network restrictions.

I tried to setup v2ray with Iran IPs going directly to ISP, but failed with geoip.dat error. If all my traffic goes to one IP address, they will block it

[nimatrueway]

I provided a v2ray config

one solution that currently works is v2ray.

It's not perfect, but it will allow you to bypass network restrictions.

I tried to setup v2ray with Iran IPs going directly to ISP, but failed with geoip.dat error. If all my traffic goes to one IP address, they will block it

run a torrent seedbox (with deluged) on the same server and things will look much more normal.